Verification complete with a successful result!

My next project will be a #Radicle orchestrator process that can mirror our repos to third-party resource (like our read-only presence on GitHub).

While I find #Rust easy to read, I haven't written much #Rustlang code yet. This will be a good exercise in learning Rust. :-)

The main idea is to implement bunches of features in this orchestrator (the first being the aforementioned repo mirroring support.) The next feature will likely be per-commit emails and issue/patch notifications via #Pushover.

I was hoping to start on the orchestrator today, but I'm being hit hard by vertigo, nausea, and a migraine today.

Perhaps I'll just prepare the #HardenedBSD 16-CURRENT build server to start building the hardened/current/pledge branch on a quarterly basis.

Yes, that means this feature branch will be testable (and usable?) by the general public.

Next month starts the new quarter. I'll likely propose a Call For Testing (CFT) to the community after the first official build completes.

#OpenBSD #Pledge #infosec

@lattera Do you have a link to a patch/commit or a previous discussion somewhere to look at?

I don't know what Radicle is supposed to be, but it's making me lose interest real quick.. ​

@brynet we only have this link: https://radicle.network/nodes/rad.hardenedbsd.org/rad:z2HLHXgL1xevBNQsf8BmQW7MpJmtm/tree/hardened%2Fcurrent%2Fpledge

Our server is indeed pretty slow, so it might take a few attempts (spread those attempts out with 3-5 minute intervals, please).

@brynet I'm trying to work out the reason why you're having issues with the web UI. I wanted to isolate whether the problem was with the Radicle seed VM, with our main nginx VM, or an issue with the links (ISPs) between you and me.

What do the following domains resolve to?

You should only see DNS A records. If you see DNS AAAA records, I need to prune those.

If you cannot reach https://installers.hardenedbsd.org/ then the issue is with an ISP between you and me. The reason being is that https://rad.hardenedbsd.org/ is the same web server as https://installers.hardenedbsd.org/.

If you can reach https://installers.hardenedbsd.org/ that means there's something wrong with our Radicle integration.

The idea (currently--I cannot speak for the project's future) is that Radicle's webUI is read-only. Folks can view the source code, issues, and patches via the webUI.

Users wishing to open new issues or patches, or comment on existing ones, will need Radicle installed on their system. They would need to use the Radicle CLI.

@brynet oh, in this case, there isn't a way to diff between branches in the webUI (to my knowledge--I might be mistaken).

You can view issues and patches, along with the discussions on them, via the webUI. That view is read-only.

Currently, the pledge branch (hardened/current/pledge) is not a "patch"--just a different branch. When the time is right, we'll convert this feature branch into a patch that can be reviewed via the webUI.

In order to generate a diff between hardened/current/master (our primary development branch) and the hardened/current/pledge branch yourself, you would need to have the src repo downloaded on your end and generate the diff with git diff hardened/current/master hardened/current/pledge)

Alternatively, I could generate that diff for you and upload it to https://hardenedbsd.org/~shawn/ .

@lattera Ah. So that answers my question, there is no way to compare between branches, or search for commits, or grep the source tree.. okay, thanks.

A patch would be convenient, but I was only curious.. if the plan is to open an issue with the final patch for review later, I can wait until then.

@brynet command used to generate this diff:

$ git diff -U100 rad/hardened/current/master rad/hardened/current/pledge`

https://hardenedbsd.org/~shawn/2026-06-15_pledge-01.patch.taxt

@lattera Why is this interface being called pledge? It's more like nicm@'s original prototype for tame(2), which pledge(2) superseded.

+int
+pledge(const uint64_t mask)

It's incompatible with OpenBSD pledge(2) which is already used in software today.

https://man.openbsd.org/pledge

If you're going to change the arguments, you might as well change the public name.

@brynet it's not my code. I haven't reviewed it just yet. But, this was originally written many years ago. IIRC, the function prototype for pledge() changed between then and now. (My memory is somewhat faulty and I might be misremembering.)

I do know there are some crucial differences, like persistence across the execve(2) boundary.