* Cryo turns down the lights

Welcome to The NetBSD Foundation Annual General Meeting 2024!

I will be the voice bot^W^Wmoderator for this year.

In the agenda we will have reports from:
- board (billc)
- secteam (billc)
- releng (leot)
- finance-exec (riastradh)
- admins (spz)
- membership-exec (wiz)
- pkgsrc-pmc (wiz)
- pkgsrc-security (leot)
- gnats (dh)

If there are any last-minute additions please /msg me!

Q&A will be at the end.

When Q&A begins please /msg me "I have question for " or "I have question for " and I will give you voice when it is your turn.

We can start with the board presentation! Cryo, please go ahead

submitted by billc for board:

Hello, and welcome to the 22nd Annual General Meeting of The NetBSD Foundation.

First off, I'd like to thank for volunteering to handle moderating and admins for doing the behind the scenes magic to make this event (and all our communication) possible.

We finally released NetBSD-10 after years of development with innovative new features, improvements, and more bug fixes. Your commits are very much appreciated, as is your continued support of the foundation.

Now on to the report from the Board of Directors:

The NetBSD Foundation Board of Directors presents a consolidated list of the relevant and major actions that occurred since last AGM. Quite a few discussions, actions, and follow-ups crossed multiple meetings. Very few meetings resulted in not reaching quorum. Check our weekly meeting minutes in: localsrc/tnf/board/minutes for the latest on our progress. During this period, new director(s) were elected by the members and officers were renewed or installed.

We continued with our Bronze level sponsorship support of BSDcan, AsiaBSDcon, and EuroBSDcon to improve our representation at conferences and developer summits.

We participated in the Google Summer of Code for 2023 and attended the virtual Google Summer of Code Mentor Summit.
We are currently participating in GSoC this year with 5 students!

o - Test root device and root file system selection
o - ALTQ refactoring and NPF integration
o - puffs(3) bindings for Lua + SquashFS in Lua
o - Emulating Missing Linux Syscalls: Tackling "The L2N Problem"
o - Making Network Drivers MPSAFE in NetBSD

Like last year, we have provided core with a pre-approved, reasonable budget, to spend as they see most fit without an additional confirmation step from us.

We continued to improve our interaction and relationships with vendors, as well as participating in industry PSIRT/CSIRT with commercial vendors and other open-source projects.

The funded contracts continued for:
o - improvements in release engineering

We are 75% through a fundraising campaign. Please consider donating, as we are a US IRS 501(c)3 charitable organization.

[let us pause for a moment of silence]

In memoriam: We were notified that Wayne Knowles (wdk@) had passed beyond the rim at the end of 2022. We are eternally grateful for his contributions to the NetBSD/mipsco port, and are dedicating NetBSD-9.4 to his memory. We are honored to have had his support and friendship.

It has been an honor and pleasure to continue working with abs, leot, khorben, mlelstv, riastradh, and wiz to accomplish all that we have in this year.

.eof

I will go ahead and do the social media update:

submitted for socialmedia by billc:

A non-scientific representation of Social Media Presence:

X, formerly Twitter: (very active)
  @netbsd still has 10,000 followers
  @pkgsrc has 694 followers down from 704
  NOTE: Due to changes in X/Twitter management, people have left.

We have an account on the distributed social network ActivityPub ('the fediverse' or better known as Mastodon), where we have a small but dedicated fan base:

  @netbsd@mastodon.sdf.org has 1800 followers up from 1077 (very active)

Facebook: 2,400 3,200 down from 3,200 members (sort of active)

On IRC our numbers are stable.
To help improve connectivity options, we have a Matrix bridge to our IRC channel.

irc.libera.chat users: (very very active)
  #NetBSD: 284 up from 276
  #NetBSD-code: 53 down from 59
  #pkgsrc: 109 up from 107

.eof

Thanks Cryo! Next it's the secteam presentation... please go ahead Cryo!

and I'm back! (presenting for agc)

submitted by billc for secteam:

This is a brief report for security-team.

Since last AGM, there have been 8 NetBSD Security Advisories:
-------------------------------------------------------------
  NetBSD-SA2024-001 Inadequate validation of user-supplied hostname in utmp_update(8)

  NetBSD-SA2023-007 multiple vulnerabilities in ftpd(8)
  NetBSD-SA2023-006 KDC-spoofing in pam_krb5
  NetBSD-SA2023-005 su(1) bypass via pam_ksu(8)
  NetBSD-SA2023-004 procfs environ exposure
  NetBSD-SA2023-003 Structure padding memory disclosures
  NetBSD-SA2023-002 Various compatibility syscall memory access issues
  NetBSD-SA2023-001 Multiple buffer overflows in USB drivers

There have been numerous bug fixes applied to the tree, pulled up to the NetBSD-10 branch, and in the NetBSD-9 and NetBSD-10 releases.

NetBSD continues to be represented in a product security incident response working group with other operating system vendors, as well as a direct contact team with other BSD projects. This framework allows us to better work with vendors requiring an embargoed and/or coordinated release with other operating systems. We can begin working on issues that affect NetBSD much faster, instead of only being notified after an embargo is lifted. We are expanding the number of vendors as time goes on, as well as participating in FIRST.

This is teaching us quite a bit of where we needed to improve our process, which is currently on-going.

Submitted respectfully on behalf of the security-officer(s), the security-team, and the sirt team.

.eof

Thanks again Cryo! We have now the releng@ presentation, prepared by . He's AFK so I will present it.

We are: abs agc bouyer he jdc martin msaitoh phil reed riz sborrill snj

Since the last meeting, we have:
o - Released NetBSD 10.0, 9.4 and 8.3
o - announced end-of-support for netbsd-8
o - Processed hundreds of pullup requests.
o - Continued preparations to make the build cluster independent from cvs

The biggest hurdle was the long and stony way to finally get 10.0 out of the door. Now we are heading for 10.1. Since nothing urgent popped up so far (that is: no disaster has been discovered in the 10.0 release) we can give it a few months, maybe late September.

The massive amount of pullups that got into the netbsd-10 branch was only possible because developers took the time to test their changes on the branch and submit a pullup request. We have been pretty good with this, and pulled up lots of security and usability improvements, as well as bug fixes to the various active branches. This is good for our users, thank you to everyone who cared and made it possible.

We are now looking forward to a netbsd-11 branch (maybe late this year) and hope that this time things will go a lot faster and more smoothly. This is currently planned to include the new wifi work, but we are not going to delay the branch if that will not be ready. Watch me poking my own nose - the wifi work has been massively delayed due to heavy releng workload, but that should be over now.

Thanks to everyone who tested the branch and filed tickets, and keep both the tickets and the pullup requests coming!

EOF

Thanks Martin! It is now time for finance-exec@ presentation. Riastradh, please go ahead!

Finance-exec maintains The NetBSD Foundation's financial records and assets at the board's direction. We balance the books, hoard the cash (and non-cash financial instruments), and send thank-you letters to donors so they can get tax deductions (in the US).

We are:
- christos (Christos Zoulas)
- reed (Jeremy C Reed)
- riastradh (Taylor R Campbell)

The NetBSD Foundation's public 2023 financial report is at:
https://www.NetBSD.org/foundation/reports/financial/2023.html
We produce this from an internal ledger maintained with ledger(1).

Highlights:
- We have net assets of a little over 270k USD.
- We took in about 61k USD -- well over our usual annual target!
- We also spent 45k USD, primarily on release engineering, wifi update, and new server hardware for package builds.
- We expect to increase spending this year to replace our aging NetBSD autobuild cluster too and finish the wifi update.

We have been working on better automating the donation thank-you process, which is currently only semiautomated -- requires clicking a dozen different buttons to process an RT ticket, something Christos usually does in a batch once a month, in case you were wondering why it takes so long to get a donation acknowledgment (sorry!). We had a GSoC student to work on this but the project stalled after GSoC.

Happy to answer any questions about what finance-exec does, or swap notes on using ledger(1)!

Thanks,
-Riastradh, on behalf of finance-exec

Thank you Riastradh! It is now time for the admins@ presentation! spz, please go ahead!

good localtime() all

admins is the following people:
christos, dogcow, kim, mspo, phil, riastradh, riz, seb, soda, spz, tls

Statistics:
- admins runs the following TNF systems:
  @ TastyLime
    + 8 hardware systems and 6 Xen guests
    = 1 earmv7hf, the rest amd64
  @ Columbia University
    + 10 hardware systems
    = all amd64
  @ Washington University
    + 7 hardware systems
    = 1 earmv7hf, 1 aarch64 and the rest amd64
  @ Regensburg (commercial housing)
    + 2 hardware systems, one of them with 2 Xen guests,
    = all amd64

- CDN services donated by Fastly
- Housing donated by TastyLime, WWU, Columbia and spz

NetBSD versions in use:
   1 pre-8.1 (earmv7hf, a console server)
   1 8.1_STABLE (earmv7hf, a console server)
   1 9.0_STABLE
   4 9.1_STABLE
  10 9.2_STABLE
   4 9.3_STABLE
   1 9.4
   1 9.99.*
   1 10.0_BETA
   2 10.0_RC1
   1 10.0_STABLE

Changes:
We retired 4 hardware systems and gained 2 new ones, which are @WWU:
  + babylon4 which is running anita tests
  + shadow which is doing package builds for x86_64 and i386.
With shadow, the "time to packages" after a new pkgsrc branch has been cut from 2-3 weeks to 2-3 days.

Riastradh spent quite some time on the mail system to make it do DKIM etc so we can still send mail to Google mail accounts.

Notable plans:
We will have to leave Columbia and will use the occasion to update the build environment so that the new location receives less RU.

I will be updating servers the next two weeks since I have some time off, be forewarned.

Thanks to riz, tls and phil for their resources, time and blood sacrifices, too. :}

Back to moderator.

Thank you spz! It's now time for membership-exec presentation! wiz00, please go ahead!

(This presentation was prepared by martin@ who can't be here today.)

The current members of membership-exec are:
- Christos Zoulas
- Martin Husemann
- Lex Wennmacher
- Thomas Klausner, and
- Ken Hornstein who is on sabbatical.

Membership-exec is responsible for all aspects of "membership", but in practice the main task is to handle membership applications. The number of active developers (as of 2024-05-16) is 146. Note that this number is a bit outdated, as the commit counting required for the board election has not yet happened for this year.

Since the last AGM we gained 5 new developers, which is way too few. We need to invite more people, please help active users and encourage them to apply.

The difference between developers and active developers is explained in the bylaws - an active developer has actually committed something in the last year, or contributed in an active way, like admins.

We'd like to emphasize that we appreciate all your replies to our membership RFC e-mails, although we do not usually acknowledge them. Please keep on providing feedback to the RFC mails.

that's it from membership-exec.

Thank you wiz00! It's now the time for the pkgsrc-pmc@ presentation... Please go ahead wiz00!

The pkgsrc team kept thousands of packages in pkgsrc up to date and in good working order, and delivered four -- the 79th through 82nd -- stable branches. Great work!

The pkgsrc team has welcomed one new developer, ktnb.

Bigger planned changes for the near future:
- phase-out of Python version 2
- switching the pkgsrc repository to git
- deprecating Python 3.8 support since many upstreams started doing that

Topics that could do with help
- keeping rust working on NetBSD platforms outside of amd64
- maintaining the pkg-vulnerability database in pkgsrc/doc
  pkgsrc-security needs more people!

Thank you for your help!
-- wiz, for pkgsrc-pmc

Thanks again wiz00! It is now time for pkgsrc-security presentation. This presentation was prepared by Thomas Merkel but he's AFK and I will present it.

The mission of the pkgsrc Security Team is to ensure that the ever-growing ecosystem of third party software is either safe to use or at least be sure people are aware of the known vulnerabilities.

Our members monitor publicly available vulnerability feeds, mainly CVE.

We aggregate received advisories believed to impact pkgsrc into the pkgsrc vulnerability list. When time allows we try to notify individual package MAINTAINERs and locate, commit patches to fix the vulnerabilities.

Since 2021 our ticket handling crew is currently only 2 people, unfortunately pretty understaffed. We are looking and welcome people volunteering to join us!

Currently handling tickets are:
- Leonardo Taccari
- Thomas Merkel

The other current members of the team are:
- Thomas Klausner
- Tobias Nygren
- Tim Zingelman

The year in numbers:

In 2023, the vulnerability list had 717 lines added to it (661 less than last year) for a total of 30401 known vulnerabilities.

In 2022, the ticket queue received 30401 new advisories (3971 more than last year). Of these 30401 new advisories:
  new:       1027 ( 3.4%) (not able to handle in 2023)
  stalled:      0 ( 0.0%)
  resolved:   717 ( 2.3%) (affecting pkgsrc packages)
  rejected: 28653 (94.3%) (no impact or duplicates)

The current count of vulnerable packages in pkgsrc-current is 707 (33 less than last year), in pkgsrc-stable is 729 (21 less than last year). See the periodic email to packages@NetBSD.org for the list. But we've 2834 vulnerabilities to review! We can always use help locating and committing security patches, in particular for the many of these that are maintained by pkgsrc-users.

In November 2023 NVD deprecated the RSS feed that we used for getting CVE vulnerabilities entries. and have written a script to switch to the NIST National Vulnerability Database API. If you are more curious it is available under localsrc/security/pkgsrc-security/programs/cve2email.py. Thanks and !

We encourage all developers to help us keep the vulnerability list up-to-date. If you become aware of a security issue or perform a security update in pkgsrc please edit the list. You don't need any special privilege for this. You'll find the list in pkgsrc CVS repository: pkgsrc/doc/pkg-vulnerabilities

Please join the pkgsrc Security ticket handling crew, we're pretty understaffed at the moment! Feel free to get in touch with us for additional details or an introduction.

EOF

Next we have... gnats presentation! dholland, please go ahead!

Here's the bug database report since the last AGM (12 months):

GNATS statistics for 2023 (as of May 18 2024)
  New PRs this year: 858, of which 593 are still open.
  Closed PRs this year: 551.
  Net change: +307.
  Total PRs touched this year: 1057.
  Oldest PR touched this year: 3019.
  Oldest open PR: 1677; PR ignored for the longest: 4691.
  Total number open: 6348

Last year after resisting for some time we went past 6000 open; having crossed that psychological barrier, this year the backlog has pretty much just steadily increased. There's always more volume with a release in the works. This year's new PR count is up by almost 50% over last year, and the number closed is almost as large as last year's total influx. More traffic is not exactly a good thing, but it's not really bad either, because it seems to reflect community engagement.

This is the weekly plot:

  * 6380
  ********
  ***********
  ***********
  ***************
  ***********************
  * ********************************
  ****************************************************** 6020

(sorry, seem to have messed that up slightly, ignore the insert)

Note that the variation shown in the graph is only around 5% of the total. If it used zero as the origin the limits of ASCII plots would leave the line entirely flat.

Handling the backlog remains difficult.
This is mostly a tooling problem; alas, resources and energy to deal with it are scarce.

If anyone was wondering, the oldest open PR (PR 1677) is about a panic in unionfs. This is unfortunately still current. The most untouched PR (PR 4691) is about ECC memory handling on sun3; it's new to this spot because of activity in the old one (PR 3019) this year.

Anyhow, here are the people who've been fixing the most bugs, as counted by commit messages found in PRs closed during the year.

   20 martin@netbsd.org
   22 rin@netbsd.org
   30 wiz@netbsd.org
   32 christos@netbsd.org
  133 riastradh@netbsd.org

This list always has a very long tail; this year there were 63 people who fixed or helped fix at least one bug report. This is down slightly from last year, but only by a little. Thanks to one and all.

And here are those who've been processing pullups, according to the same analysis:

    1 msaitoh@netbsd.org (releng)
    1 riz@netbsd.org (releng)
    1 sborrill@netbsd.org (releng)
    1 snj@netbsd.org (releng)
    2 spz@netbsd.org (releng)
    8 bsiegert@netbsd.org (releng)
    9 bouyer@netbsd.org (releng)
  248 martin@netbsd.org (releng)

This is skewed far more toward Martin even than last year. Many, many, many thanks, Martin.

Thanks dholland! We can start the Q&A time. If you have any questions please `/msg leot ` and I will voice you.

No questions? OK! Let's go ahead... Cryo, the floor is yours!

Whoops, sorry! One question!

Thanks to all the places that host our server machines and thanks to all kind heroes who do hands-on work too on them!

for core(?) what are plans for maintaining "currency" of video drivers? riastradh@ did a huge amount of work in 10.0 but we are already falling far behind current hardware. Perhaps a funded position would help?

We'll do a drm update, I was mostly waiting for netbsd-10.

thanks. are you targeting 11.0?

hope so

great!

Thanks PGoyette and Riastradh! We have another question in the queue.

for releng: the pullups are handled by martin mainly.
Is it expected and is there a need or way to reduce his load on this?

Anyone from releng and/or who can answer that? (if you do not have voice feel free to /msg me)

andvar: martin is doing a lot of the releng work on a part-time consulting basis (part of the $17k we paid on consulting last year), so that's expected, but also it wouldn't hurt to have more releng hands.

OK, thanks. In case hands are needed, this work may be possible for me from time to time.

Thanks andvar and Riastradh!

Thanks to all the executive committees who do a lot of work behind the scenes to keep everything running smoothly!

Thanks to everyone who is running our services, participating and helping in mailing lists, chat and other communities and filing PRs!

Finally, thank you, for being part of this process today, fixing bugs, committing new features and making NetBSD and pkgsrc the best operating system and packaging system!

We couldn't do it without you, and please keep up the excellent work!

Respectfully submitted on behalf of the Board of Directors

.eof

Now, let's crank it up to 11. o/

Thank you all for coming
We appreciate you taking time to come to our AGM
We look forward to the NetBSD-11 release, and seeing you at the next AGM (optimistically)

* Cryo closes the curtains and gets the broom out for the popcorn on the floor... watch out for spilled drinks.

EOF

Copyright 2024, The NetBSD Foundation, Inc. All Rights Reserved.
Objects may appear closer in mirrors.

* spz whaps Cryo with a small trout for the pun

who left these bricks laying around?

See y'all next year!