
Building the XNU kernel on macOS Sierra - mikalv
https://0xcc.re/building-xnu-kernel-macosx-sierrra-10-12-x/
======
jarjoura
XNU open source bits from Apple are always a tiny subset of the actual kernel
code. Plus, long gone are the people who Apple hired from the FreeBSD world
who believed in it enough to push internally for it. So who knows at this
point what is filtered out at publish time.

Don't get me wrong, it's great to read how file drivers really work, and read
how XNU manages virtual memory, but other than that, it's a pretty crappy
drop.

~~~
mikalv
Yeah, personally I'm mostly fascinated with the semi-microkernel architecture. I
don't really mind that the rest is closed. And yeah, I've suspected they lost
some good people after seeing all the new security issues in the kernel the
past years.

If only Wayland were more mature, and the Linux world had put down X11
once and for all, I would have been back on Linux a long time ago :)

~~~
ori_b
> If only Wayland were more mature, and the Linux world had put down X11
> once and for all, I would have been back on Linux a long time ago :)

I'm curious why Wayland changes things for you. X11 is warty as hell, but
that's generally not something visible to the user. I don't go "Eww, they
didn't bother framing the graphics message packets properly -- I'm going to
use another OS".

~~~
mikalv
Haha, well, it's not only X11, but it's one of the main reasons. Other reasons
are that for my usage and work, it just "works", with no hours of configuration in
dotfiles. Also it's convenient as a cross-platform developer, since I can just
cross-compile to Linux and Windows (mingw) via Docker. However, without the Mac,
you'll have to break some licenses with a hackintosh. I think the project is
cool, but in work-related situations I can't do that because of legal reasons.

This also reminds me of a cool project I've found but haven't had time to test
yet: [https://github.com/shinh/maloader](https://github.com/shinh/maloader)

~~~
unixhero
Yeah. Linux is not like that any more.

Try Linux Mint. The only configuration you will do is to enter your username
and password.

~~~
nickpsecurity
And then again when their site gets subverted and you have to reinstall since
you might have a rootkitted binary. I loved Mint for its incredible usability.
Just can't recommend a supplier whose security was that bad.

~~~
unixhero
Nah. You can't hold a 'maintainer transgression' which happened two years ago
against them forever.

They have indeed implemented solid checks and offer a SHAxxx-sum file for
every ISO file they publish. Not only that, but they publicly "soul searched" and
went to great lengths to assure the community and its users that such mistakes
would not be repeated. Now verifying the authenticity of the ISO file is actively
encouraged on the download page.

They made a mistake, took solid steps to improve, and the show has moved on.
You should too, instead of smearing the project far, far down the line. (I'm
being rhetorical, I know.)

~~~
nickpsecurity
The project's security sucked across the board. They didn't care or know how
to do it. One hacker here even appeared to hack them in mid-discussion and
post database credentials that showed they were using defaults. They then
implemented a mitigation after bad press and soul searching. The thing I'm
doing isn't smearing the project: it's letting people know not to trust its
security without 3rd-party verification (esp. pen tests). That's because (a)
it's a sane default for any project and (b) this one failed hard on the basics
at least once.

So, I advise caution until I see a 3rd-party evaluation showing their security
is good now. You apparently followed them carefully. Did any security
professionals look at their site/db/whatever after the fixes and give
independent confirmation? That's all I'd need to stop reminding people of
this.

------
voltagex_
Excellent! PureDarwin [1] is still plodding along slowly.

1: [http://www.puredarwin.org/](http://www.puredarwin.org/)

~~~
mikalv
Yeah, I was surprised they didn't have more documentation, or at least updated documentation.

~~~
voltagex_
Contact details are in my profile - if there's anything in particular you're
looking for I can ping a few people from the project.

~~~
mikalv
Thanks, but I actually talked with the people in the project a few years back,
and have on my todo list to do it again soon :)

------
steeleduncan
Is there a better approach for experimenting with filesystems than editing the
kernel sources, recompiling and then running in a VM? E.g. a C library
providing the necessary interface for the sources to drop into a kernel
eventually, but also allowing you to run tests, set breakpoints, etc. within an
IDE.

Of course you can get a long way accessing a block device directly with FUSE,
but ultimately you end up developing a FUSE library, not something you can use
within the kernel.

------
dcow
I'm sorry but I stopped reading because you've chosen to break lines mid-word
(reading on mobile). Justified text would be a lot easier to read.

edit: It looks like Safari's reader mode fixes things.

~~~
valarauca1
I thought this was a petty HN UI comment, but no. Reading the post is painful;
nearly every other line ends in a split word on mobile.

~~~
dcow
I really tried to read it before whining. Glad to see it's much more readable
now.

------
zymhan
OpenDNS in my office is blocking access to the site because of "malware".

I can't tell if that's a legitimate warning, or it being paranoid about what
else is on the site.

~~~
mikalv
Hahaha, yes, I just found out my own company's firewall does the same. I suspect
it's the hex domain :)

Online services say it's clean, and I know how to secure my own
webserver/services :)
[https://sitecheck.sucuri.net/results/0xcc.re](https://sitecheck.sucuri.net/results/0xcc.re)