svn commit: r46576 - head/en_US.ISO8859-1/htdocs/news/status
David Chisnall
theraven at FreeBSD.org
Mon Apr 20 13:31:17 UTC 2015
Author: theraven (src,ports committer)
Date: Mon Apr 20 13:31:16 2015
New Revision: 46576
URL: https://svnweb.freebsd.org/changeset/doc/46576
Log:
Editing pass.
Modified:
head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml
Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml
==============================================================================
--- head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml Sat Apr 18 12:51:58 2015 (r46575)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml Mon Apr 20 13:31:16 2015 (r46576)
@@ -119,17 +119,18 @@
<p>We have been working hard the last few months to ensure
the robustness of our ASLR implementation. We have
- written a helpful manpage. We have updated the patch on
+ written a manpage and updated the patch on
FreeBSD's code review system (Phabricator). Our ASLR
- implementation is in heavy use by the HardenedBSD team
+ implementation is in use by the HardenedBSD team
in production environments and is performing
robustly.</p>
<p>The next task is to compile the base system applications as
- Position-Independent Executables (PIEs). In order for
+ Position-Independent Executables (PIEs). For
ASLR to be effective, applications must be compiled as
- PIEs. It is likely that this part will take a long time
- to accomplish, given the complexity surrounding
+ PIEs to allow the main binary, as well as shared libraries, to be
+ located at random addresses. It is likely that this part will take a
+ long time to accomplish, given the complexity surrounding
building the libraries in the base system. Even if applications
are not compiled as PIEs, having ASLR available still
helps those applications (like HardenedBSD's secadm)
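Review bot: the added lines "PIEs to allow the main binary, as well as shared libraries, to be located at random addresses" read as if shared libraries also depend on the application being a PIE. Shared libraries are already position-independent, and the unchanged text just below says ASLR still helps applications that are not PIEs, so the requirement is really about the main binary. Suggest "PIEs so that the main binary, and not only the shared libraries, can be located at a random address".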
@@ -142,11 +143,6 @@
<task>
<p>Test our patch against 11-CURRENT.</p>
</task>
-
- <task>
- <p>For &os; committers: work with us to get this merged
- into &os;.</p>
- </task>
</help>
</project>
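Review bot: removing the "For &os; committers: work with us to get this merged into &os;." task is a content change rather than a wording fix, and the log message says only "Editing pass." Suggest mentioning the removal in the log so that the change to the project's help list is recorded.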
@@ -224,7 +220,7 @@
</task>
<task>
- <p>Add a new property (through xfconf-query) in order to
+ <p>Add a new property (through xfconf-query) to
allow users to change the greyscale value of quicklaunch
icons in x11/xfce4-dashboard (this feature is only available
in the unstable release).</p>
@@ -754,7 +750,7 @@ WITHOUT_FORTH=y</pre>
Address and Undefined Behavior Sanitizers in the base system
toolchain.</p>
- <p>Like the 3.5.0 release, these components require C++11
+ <p>As with the 3.5.0 release, these components require C++11
support to build. C++11 support is available in &os; 10.0 and
later on the x86 architectures.</p>
@@ -1044,7 +1040,7 @@ WITHOUT_FORTH=y</pre>
the X.Org component updates were submitted by Matthew Rezny.</p>
<p>The location where fonts get installed was overhauled and
- the way to handle fonts from the plist got simplified. Now all
+ the way to handle fonts from the plist has been simplified. Now all
fonts are installed in <tt>/usr/local/share/fonts</tt> as
required by the XDG rules. Furthermore, making a port for fonts
should be easier: more aspects, such as calling fc-cache(1), are
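Review bot: on the added line, "has been simplified" now shares a sentence with the unchanged "was overhauled", so the sentence mixes simple past and present perfect. Suggest changing the first verb as well ("has been overhauled") and re-wrapping, since the added line is longer than its neighbours.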
@@ -1329,7 +1325,7 @@ WITHOUT_FORTH=y</pre>
possible.</p>
<p>First of all, we would like to welcome Tobias Berner to
- the ranks of the area51 committers. He has been regularly mentioned
+ the ranks of the area51 (the KDE ports staging area) committers. He has been regularly mentioned
in our recent status reports, and has finally received committer
privileges to our experimental repository. Becoming an area51
committer is usually the first step towards becoming a kde@
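Review bot: the parenthetical on the added line splits the noun phrase ("the area51 (the KDE ports staging area) committers") and pushes the line well past the wrap width used around it. Suggest "the ranks of committers to area51 (the KDE ports staging area)", re-wrapped, and check that "staging area" agrees with "our experimental repository" two lines below.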
@@ -1672,7 +1668,7 @@ WITHOUT_FORTH=y</pre>
way.</p>
<p>An auto-assigner for ports issues was implemented,
- resembling what GNATS' successfully did in the past. A <a
+ resembling what GNATS successfully did in the past. A <a
href="https://bugs.freebsd.org/bugzilla/page.cgi?id=dashboard.html">dashboard</a>
page within Bugzilla provides users and committers with common
queries and overall statistics; many other smaller tweaks,
@@ -1756,7 +1752,7 @@ WITHOUT_FORTH=y</pre>
of interrupt delivery without reprogramming MSI/MSI-X registers
or IO-APICs. The original intent was to allow hypervisors to
safely delegate interrupt programming for devices owned by
- guests to the guest OS. But IR is also needed to avoid some
+ guests to the guest OS. IR is also needed to avoid some
limitations in IO-APICs and to make interrupt rebalancing atomic
and transparent. Support has been committed as r280260.</p>
@@ -1765,7 +1761,7 @@ WITHOUT_FORTH=y</pre>
It is believed that the only missing platform code to handle big
machines is parsing the "Processor Local x2APIC Structure" and
"Local x2APIC NMI Structure" from the ACPI Multiple APIC
- Description Table (MADT), which report LAPIC IDs > 255, and
+ Description Table (MADT), which report LAPIC IDs > 255, and
handling boot on such systems with the x2APIC mode enabled by
firmware. The work to complete that is expected to be
relatively trivial, and can be done with access to a real
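Review bot: the removed and added "Description Table (MADT), which report LAPIC IDs > 255, and" lines read identically here, so the actual change is not visible in this diff. If it is an escaping or whitespace fix, the log should say so.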
@@ -1899,7 +1895,9 @@ WITHOUT_FORTH=y</pre>
interposes on all updates to virtual memory translations to
assert protections on physical memory, thus significantly
reducing the trusted computing base for memory access control
- enforcement. We incorporated the nested kernel
+ enforcement. </p>
+
+ <p>We incorporated the nested kernel
architecture into &os; on x86-64 hardware by write-protecting
Memory-Management Unit (MMU) translations and de-privileging the
untrusted part of the kernel, thereby enabling the entire
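Review bot: the added "enforcement. </p>" leaves a space before the closing tag. Drop the trailing space so the paragraph ends "enforcement.</p>", matching other paragraph endings in the file such as "robustly.</p>".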
@@ -1910,8 +1908,11 @@ WITHOUT_FORTH=y</pre>
against code injection attacks. We also demonstrate, by
introducing write-mediation and write-logging services, that the
nested kernel architecture allows kernel developers to isolate
- memory in ways not possible in monolithic kernels. The
- performance of the nested kernel prototype shows modest
+ memory in ways not possible in monolithic kernels, though security
+ benefits from this will require adding policies that have not yet been
+ designed.</p>
+
+ <p>The performance of the nested kernel prototype shows modest
overheads: less than 1% average for Apache, 3.7% average for
sshd, and 2.7% average for kernel compilation. Overall, our
results and experience show that the nested kernel design can be
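Review bot: in the added clause "though security benefits from this will require adding policies that have not yet been designed", "this" has no clear antecedent (memory isolation in general, or the write-mediation and write-logging services). Suggest naming it, for example "security benefits from this isolation", and consider making the caveat its own sentence, as the sentence it is appended to is already long.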
@@ -1939,21 +1940,15 @@ WITHOUT_FORTH=y</pre>
<p>We are very interested in feedback on the design of the
nested kernel, and having discussions about how it might get
- upstreamed. This is our first time contributing to an open
- source project, so even simple advice is likely to be useful.</p>
+ upstreamed. </p>
<p>We are also hoping to gain additional contributors and
interest in the project! The nested kernel has the potential to
enhance commodity operating system design, and &os; is a major
operating system in use today which has high impact.
- However, the implementation is merely a research prototype and
+ The current implementation is merely a research prototype and
requires significant effort to make production-ready (see the
- list of tasks). Some of this work is underway during
- refactoring for an implementation in the <a
- href="https://www.freebsdfoundation.org/journal/articles">HardenedBSD
- project</a>, which is a much cleaner version of the core system
- and is integrated into the &os; build system, but is only about
- 50% completed.</p>
+ list of tasks). </p>
<p>Finally, we have developed an interface to write-protect
data structures in the kernel and are soliciting ideas for uses
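Review bot: dropping "However," from "The current implementation is merely a research prototype" removes the contrast with the preceding sentence about the project's potential, so "merely" now reads abruptly; either keep a connective or drop "merely". The added "upstreamed. </p>" and "list of tasks). </p>" also carry a space before the closing tag.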
@@ -1976,7 +1971,7 @@ WITHOUT_FORTH=y</pre>
specially consider the stack if it is used to execute code),
protect IDT and SMM, and add IOMMU protections. We also need to
do some optimizations where we batch calls into the nested
- kernel on process creation (FORK) and mmap operations. The
+ kernel on process creation (<tt>fork</tt>) and <tt>mmap</tt> operations. The
motivation for these implementation directives can be reviewed
in the paper.</p>
</task>
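Review bot: the added line marks up <tt>fork</tt> and <tt>mmap</tt>, while other parts of this file use manual-page notation (fc-cache(1), pkg(8)). Suggest fork(2) and mmap(2) for consistency, and re-wrap, since the added line is longer than the surrounding ones.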
@@ -1986,7 +1981,7 @@ WITHOUT_FORTH=y</pre>
</task>
<task>
- <p>Port and refactor for a newer version of &os;. The
+ <p>Port and refactor for &os;-HEAD. The
current implementation is a research prototype and requires some
refactoring to make it clean and consistent, as well as make it
relevant to modern versions of &os;.</p>
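Review bot: the added "Port and refactor for &os;-HEAD." names the branch differently from the "11-CURRENT" used in the ASLR task earlier in this file, and the unchanged end of the paragraph still says "relevant to modern versions of &os;". Suggest one branch name throughout and trimming the closing clause, which now repeats the first sentence.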
@@ -2586,18 +2581,18 @@ WITHOUT_FORTH=y</pre>
</links>
<body>
- <p>Lots of work has been done on the pkg(8) front, that brought
+ <p>Lots of work has been done on the pkg(8) front, which has brought
pkg(8) to the 1.5.0 release.</p>
<p>Special attention has been spent on the test suite, the
number of tests went from around 20 to more than 70. Mostly
- functional tests. Each test can in fact test many different
+ functional tests, each of which tests many different
features.</p>
<p>One of the main highlights is initial support for
- provides/requires has been implemented, while it is still
- simple, it is good enough to allow fixing lot of situation when
- dealing with php related ports: able to safely upgrade from one
+ provides/requires. This is still
+ simple but is good enough to allow fixing lot of situations when
+ dealing with php-related ports: PHP can now safely upgrade from one
major version to another. This allows for the pecl/pear
packages to be reinstalled each time a minor php upgrade is
done.</p>
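Review bot: the added line "simple but is good enough to allow fixing lot of situations when" still lacks an article ("a lot of situations"), and the next added line mixes "php-related" with "PHP" and makes PHP the actor of the upgrade. Suggest "a lot of situations when dealing with PHP-related ports: it is now possible to upgrade safely from one major version to another". The rewritten "Mostly functional tests, each of which tests many different features." is also still a fragment following a comma splice.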
@@ -2615,7 +2610,7 @@ WITHOUT_FORTH=y</pre>
plist</li>
</ul>
- <p>pkg now support fetch resume for http/ftp</p>
+ <p>pkg now supports resume for http/ftp downloads</p>
</body>
<help>
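Review bot: the added "<p>pkg now supports resume for http/ftp downloads</p>" has no terminal full stop, unlike the other paragraphs in this section. Suggest "pkg(8) now supports resuming HTTP/FTP downloads.", which also matches the pkg(8) form used at the top of the section.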