svn commit: r46576 - head/en_US.ISO8859-1/htdocs/news/status

David Chisnall theraven at FreeBSD.org
Mon Apr 20 13:31:17 UTC 2015


Author: theraven (src,ports committer)
Date: Mon Apr 20 13:31:16 2015
New Revision: 46576
URL: https://svnweb.freebsd.org/changeset/doc/46576

Log:
  Editing pass.

Modified:
  head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml

Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml
==============================================================================
--- head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml	Sat Apr 18 12:51:58 2015	(r46575)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml	Mon Apr 20 13:31:16 2015	(r46576)
@@ -119,17 +119,18 @@
 
       <p>We have been working hard the last few months to ensure
 	the robustness of our ASLR implementation. We have
-	written a helpful manpage. We have updated the patch on
+	written a manpage and updated the patch on
 	FreeBSD's code review system (Phabricator).  Our ASLR
-	implementation is in heavy use by the HardenedBSD team
+	implementation is in use by the HardenedBSD team
 	in production environments and is performing
 	robustly.</p>
 
       <p>The next task is to compile the base system applications as
-	Position-Independent Executables (PIEs). In order for
+	Position-Independent Executables (PIEs). For
 	ASLR to be effective, applications must be compiled as
-	PIEs. It is likely that this part will take a long time
-	to accomplish, given the complexity surrounding
+	PIEs to allow the main binary, as well as shared libraries, to be
+	located at random addresses. It is likely that this part will take a
+	long time to accomplish, given the complexity surrounding
 	building the libraries in the base system. Even if applications
 	are not compiled as PIEs, having ASLR available still
 	helps those applications (like HardenedBSD's secadm)
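Review bot: the new clause on the `PIEs to allow the main binary, as well as shared libraries, to be located at random addresses` line overstates what PIE buys: shared libraries are already built position-independent and are relocated at load time regardless, so PIE only extends the randomisation to the main executable. Suggest `PIEs so that the main executable, like the shared libraries it loads, can be placed at a random address.`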
@@ -142,11 +143,6 @@
       <task>
 	<p>Test our patch against 11-CURRENT.</p>
       </task>
-
-      <task>
-	<p>For &os; committers: work with us to get this merged
-	  into &os;.</p>
-      </task>
     </help>
   </project>
 
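Review bot: this drops the `For &os; committers: work with us to get this merged` help item outright rather than rewording it, and the log message (`Editing pass.`) gives no reason. If a status-report editing rule is being applied (no direct appeals to committers in the help section), say so in the log; otherwise this is a content change the submitting team should confirm.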
@@ -224,7 +220,7 @@
       </task>
 
       <task>
-	<p>Add a new property (through xfconf-query) in order to
+	<p>Add a new property (through xfconf-query) to
 	  allow users to change the greyscale value of quicklaunch
 	  icons in x11/xfce4-dashboard (this feature is only available
 	  in the unstable release).</p>
@@ -754,7 +750,7 @@ WITHOUT_FORTH=y</pre>
 	Address and Undefined Behavior Sanitizers in the base system
 	toolchain.</p>
 
-      <p>Like the 3.5.0 release, these components require C++11
+      <p>As with the 3.5.0 release, these components require C++11
 	support to build.  C++11 support is available in &os; 10.0 and
 	later on the x86 architectures.</p>
 
@@ -1044,7 +1040,7 @@ WITHOUT_FORTH=y</pre>
 	the X.Org component updates were submitted by Matthew Rezny.</p>
 
       <p>The location where fonts get installed was overhauled and
-	the way to handle fonts from the plist got simplified.  Now all
+	the way to handle fonts from the plist has been simplified.  Now all
 	fonts are installed in <tt>/usr/local/share/fonts</tt> as
 	required by the XDG rules.  Furthermore, making a port for fonts
 	should be easier: more aspects, such as calling fc-cache(1), are
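Review bot: the tense is now mixed within one sentence: `The location where fonts get installed was overhauled and the way to handle fonts from the plist has been simplified.` Either `was simplified` (matching `was overhauled`) or `has been overhauled` keeps the two clauses parallel.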
@@ -1329,7 +1325,7 @@ WITHOUT_FORTH=y</pre>
 	possible.</p>
 
       <p>First of all, we would like to welcome Tobias Berner to
-	the ranks of the area51 committers.  He has been regularly mentioned
+	the ranks of the area51 (the KDE ports staging area) committers.  He has been regularly mentioned
 	in our recent status reports, and has finally received committer
 	privileges to our experimental repository.  Becoming an area51
 	committer is usually the first step towards becoming a kde@
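Review bot: the inserted parenthetical pushes the `the ranks of the area51 (the KDE ports staging area) committers.` line well past the roughly 70-column wrap used everywhere else in this file; please re-wrap. The explanation also sits awkwardly between `area51` and `committers`; `to the ranks of the area51 committers (area51 is the KDE ports staging area).` reads more naturally.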
@@ -1672,7 +1668,7 @@ WITHOUT_FORTH=y</pre>
 	way.</p>
 
       <p>An auto-assigner for ports issues was implemented,
-	resembling what GNATS' successfully did in the past.  A <a
+	resembling what GNATS successfully did in the past.  A <a
 	  href="https://bugs.freebsd.org/bugzilla/page.cgi?id=dashboard.html">dashboard</a>
 	page within Bugzilla provides users and committers with common
 	queries and overall statistics; many other smaller tweaks,
@@ -1756,7 +1752,7 @@ WITHOUT_FORTH=y</pre>
 	of interrupt delivery without reprogramming MSI/MSI-X registers
 	or IO-APICs.  The original intent was to allow hypervisors to
 	safely delegate interrupt programming for devices owned by
-	guests to the guest OS.  But IR is also needed to avoid some
+	guests to the guest OS.  IR is also needed to avoid some
 	limitations in IO-APICs and to make interrupt rebalancing atomic
 	and transparent.  Support has been committed as r280260.</p>
 
@@ -1765,7 +1761,7 @@ WITHOUT_FORTH=y</pre>
 	It is believed that the only missing platform code to handle big
 	machines is parsing the "Processor Local x2APIC Structure" and
 	"Local x2APIC NMI Structure" from the ACPI Multiple APIC
-	Description Table (MADT), which report LAPIC IDs > 255, and
+	Description Table (MADT), which report LAPIC IDs > 255, and
 	handling boot on such systems with the x2APIC mode enabled by
 	firmware.  The work to complete that is expected to be
 	relatively trivial, and can be done with access to a real
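Review bot: the change from `>` to `&gt;` on the `LAPIC IDs > 255` line is harmless but not a correctness fix: in XML character data only `<` and `&` must be escaped, and a bare `>` is well-formed except inside a `]]>` sequence. Keep it if the rest of the file escapes `>` for consistency; otherwise it can be left alone.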
@@ -1899,7 +1895,9 @@ WITHOUT_FORTH=y</pre>
 	interposes on all updates to virtual memory translations to
 	assert protections on physical memory, thus significantly
 	reducing the trusted computing base for memory access control
-	enforcement.  We incorporated the nested kernel
+	enforcement.  </p>
+
+      <p>We incorporated the nested kernel
 	architecture into &os; on x86-64 hardware by write-protecting
 	Memory-Management Unit (MMU) translations and de-privileging the
 	untrusted part of the kernel, thereby enabling the entire
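Review bot: the paragraph split leaves trailing whitespace before the closing tag on the `enforcement.  </p>` line; drop the two spaces so it reads `enforcement.</p>`. Otherwise the break is an improvement, since the first paragraph describes the architecture and the second the port to &os;.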
@@ -1910,8 +1908,11 @@ WITHOUT_FORTH=y</pre>
 	against code injection attacks.  We also demonstrate, by
 	introducing write-mediation and write-logging services, that the
 	nested kernel architecture allows kernel developers to isolate
-	memory in ways not possible in monolithic kernels.  The
-	performance of the nested kernel prototype shows modest
+	memory in ways not possible in monolithic kernels, though security
+	benefits from this will require adding policies that have not yet been
+	designed.</p>
+
+      <p>The performance of the nested kernel prototype shows modest
 	overheads: less than 1% average for Apache, 3.7% average for
 	sshd, and 2.7% average for kernel compilation.  Overall, our
 	results and experience show that the nested kernel design can be
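Review bot: the added clause `though security benefits from this will require adding policies that have not yet been designed` is a substantive new claim about the project, not a wording change, in a commit logged as `Editing pass.` It should come from, or be confirmed by, the nested kernel submitters, and the log should mention it. The paragraph split before `The performance of the nested kernel prototype` is fine.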
@@ -1939,21 +1940,15 @@ WITHOUT_FORTH=y</pre>
 
       <p>We are very interested in feedback on the design of the
 	nested kernel, and having discussions about how it might get
-	upstreamed.  This is our first time contributing to an open
-	source project, so even simple advice is likely to be useful.</p>
+	upstreamed.  </p>
 
       <p>We are also hoping to gain additional contributors and
 	interest in the project!  The nested kernel has the potential to
 	enhance commodity operating system design, and &os; is a major
 	operating system in use today which has high impact.
-	However, the implementation is merely a research prototype and
+	The current implementation is merely a research prototype and
 	requires significant effort to make production-ready (see the
-	list of tasks).  Some of this work is underway during
-	refactoring for an implementation in the <a
-	href="https://www.freebsdfoundation.org/journal/articles">HardenedBSD
-	project</a>, which is a much cleaner version of the core system
-	and is integrated into the &os; build system, but is only about
-	50% completed.</p>
+	list of tasks).  </p>
 
       <p>Finally, we have developed an interface to write-protect
 	data structures in the kernel and are soliciting ideas for uses
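Review bot: both shortened paragraphs now end with a double space before the closing tag (`upstreamed.  </p>` and `list of tasks).  </p>`); trim them. Deleting the HardenedBSD sentence also removes the only in-body reference to the journal URL; check that the entry's `<links>` block still carries it if the pointer is meant to survive, and note the deletion in the log since it removes content rather than editing it.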
@@ -1976,7 +1971,7 @@ WITHOUT_FORTH=y</pre>
 	  specially consider the stack if it is used to execute code),
 	  protect IDT and SMM, and add IOMMU protections.  We also need to
 	  do some optimizations where we batch calls into the nested
-	  kernel on process creation (FORK) and mmap operations.  The
+	  kernel on process creation (<tt>fork</tt>) and <tt>mmap</tt> operations.  The
 	  motivation for these implementation directives can be reviewed
 	  in the paper.</p>
       </task>
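Review bot: `<tt>fork</tt>` and `<tt>mmap</tt>` match the file's `<tt>` markup for paths, but elsewhere this report names interfaces in manpage style (`pkg(8)`, `fc-cache(1)`), so `fork(2)` and `mmap(2)` would follow the document's own convention for system calls.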
@@ -1986,7 +1981,7 @@ WITHOUT_FORTH=y</pre>
       </task>
 
       <task>
-	<p>Port and refactor for a newer version of &os;.  The
+	<p>Port and refactor for &os;-HEAD.  The
 	  current implementation is a research prototype and requires some
 	  refactoring to make it clean and consistent, as well as make it
 	  relevant to modern versions of &os;.</p>
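Review bot: `&os;-HEAD` introduces a third name for the development branch in this report, which elsewhere says `11-CURRENT` (the `Test our patch against 11-CURRENT.` task above) and `modern versions of &os;` in the very next sentence. Pick one form; `&os;-CURRENT` or `11-CURRENT` matches the rest of the report.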
@@ -2586,18 +2581,18 @@ WITHOUT_FORTH=y</pre>
     </links>
 
     <body>
-      <p>Lots of work has been done on the pkg(8) front, that brought
+      <p>Lots of work has been done on the pkg(8) front, which has brought
 	pkg(8) to the 1.5.0 release.</p>
 
       <p>Special attention has been spent on the test suite, the
 	number of tests went from around 20 to more than 70. Mostly
-	functional tests. Each test can in fact test many different
+	functional tests, each of which tests many different
 	features.</p>
 
       <p>One of the main highlights is initial support for
-	provides/requires has been implemented, while it is still
-	simple, it is good enough to allow fixing lot of situation when
-	dealing with php related ports: able to safely upgrade from one
+	provides/requires.  This is still
+	simple but is good enough to allow fixing lot of situations when
+	dealing with php-related ports: PHP can now safely upgrade from one
 	major version to another.  This allows for the pecl/pear
 	packages to be reinstalled each time a minor php upgrade is
 	done.</p>
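Review bot: the rewritten sentence still reads `allow fixing lot of situations` (missing article: `a lot of situations`), and it now mixes `php-related ports` with `PHP can now safely upgrade` in the same sentence; pick one capitalisation. The untouched comma splice `Special attention has been spent on the test suite, the number of tests went from` in the same hunk could be fixed in the same pass (`test suite; the number of tests went`).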
@@ -2615,7 +2610,7 @@ WITHOUT_FORTH=y</pre>
 	    plist</li>
 	</ul>
 
-       <p>pkg now support fetch resume for http/ftp</p>
+       <p>pkg now supports resume for http/ftp downloads</p>
     </body>
 
     <help>
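Review bot: `pkg now supports resume for http/ftp downloads` still lacks a terminating period, unlike every other paragraph in this body, and the `<p>` is indented seven spaces where the surrounding file uses six. Suggest `<p>pkg now supports resuming http/ftp downloads.</p>` at the standard indent.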

