OpenBSD Journal

In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

In -current,the struct underlyingstdio(3)'sFILE typehas beenmade opaque, with library versions bumps across the board:

Inaseriesofcommits,Anthony J Bentley (bentley@)modified the system so that font caching runs asdedicated (unprivileged) user, "_fc-cache".fc-cache(1)has been usingpledge(2)since May.

Job Snijders (job@)has added (to -current) a new utility,watch(1),for periodically executing a command and displaying its output.TheIIJ'siwatchwas initiallyimportedback in May, and has beenreworked substantiallybefore beinglinked to the build.

Yes, you read that right:KDE 6.4.0 Plasmais now in OpenBSD packages.This was made possible by the efforts of Rafael Sadowski (rsadowski@) with the help of several others.The news was announced 2025-07-04 via afediverse postand of course thecommit messageitself, where the description reads

News from the Exotic Silicon front:Crystal Kolipe posted anupdateto misc@, saying

In afediverse poston 2025-07-04,the Game of Trees Hubannounced that they will be taking signups for repository hosting:

Version 0.115of Game of Treeshas been released (and the portupdated):

Version 0.114of Game of Treeshas been released (and the portupdated):

In a fediverse post,Stefan Sperling (stsp@) asks for testing of a potential fixfor a problem affecting a number of network interface drivers(namely bge,bnx,iavf,igc,ix,ixl,ngbe andpcn),pointing to amessageon tech@ with the subjectbge/bnx/iavf/igc/ix/ixl/ngbe/pcn: ifq_restart() fix that reads

Fresh from the recently concludedj2k25 hackathon comes this report from Klemens Nanni (kn@), who writes:

In some cases, the currentdhcpd(8)is not quite as reliable as one would want in providing the requesteddata to the actual requestor.After some rounds of discussion and experimentation,David Gwynne (dlg@) is circulating adiffon tech@ that switches the daemon to useUDPsockets instead ofbpf.The motivation is summarized as,

In a long series ofcommits,Robert Nagy (robert@)updatedclang(1)/llvm/lld(1)in -current to version 19.1.7 (from version 16.0.6):

Kristaps Dzonsons(known formandoc(1),rpki-client(8),and much more)has written an article,Source code sandboxing,on sandboxingfrom the perspective of developers.It compares the facilities available under severaloperating systems, and requests relevantcontributions.As Undeadly readers might expect, OpenBSD'spledge(2)andunveil(2)receive favourable appraisal.Kristaps' article refers toSandboxing Adoption in Open Source Ecosystems,an academic article published on the subject.[In 2016, Undeadly publishedKristaps Dzonsons on pledge(2).]

Following adiscussion on tech@[initiated by a post with patch from Ted Unangst (tedu@)],the"TearFree" option has beenbackportedto the xenocaramodesetting(4)driver in -current:

Rafael Sadowski (rsadowski@),OpenBSD developer and prolific blogger,has been looking into file system performance optimizations on our favoriteoperating system, and is now sharing his tips and tricks inFFS optimizations with dirhash on his blog. He leads in with a TL;DR:

Version 0.113of Game of Treeshas been released (and the portupdated):

In a multi-part article, kraileth reviews the installers of various BSD operating systems.Part 2covers OpenBSD:

Fresh from the just concludedj2k25 hackathonin Nara, Japan, Rafael Sadowski (rsadowski@) has published his report on his blog:

Reining in file system access is hard to get right, even forOpenBSD developers. In a message to tech@ titledopenat(2) is mostly useless, sadlyTheo de Raadt (deraadt@) describes how theopenat(2)family of system calls has failed to live up to expectations in practice,and he proposes changes that may improve the situation.Theo writes,

Recently, Crystal Kolipe found that attachingsoftraidvolumes as read-only devices did not work.Then what to do?Fix the code and make it work, of course!The full story is available asStay, (write), protected!",taking us through the steps of adding a feature toOpenBSD. Enjoy!

A new profiling subsystem is now in OpenBSD-current, from the hands of none other than Theo de Raadt (deraadt@) himself.A longish sequence of commitsintroducedthechangesincrementally,with asummary as follows:

Are you an OpenBSD user with a low power device such as aPC EnginesAPU2,with one or moreem(4)network interfaces?Darren Tucker (dtucker@) has a new diff out that may be of use to you,posted in amessageto tech@:

Kirill A. Korinsky (kirill@)writes in with hisguideto setting up anEdgeRouter 4withOpenBSD/octeonto provide a failover gateway/router setup:

erspan(4),the ERSPAN collection driver created byDavid Gwynne (dlg@)[and about which we recentlyreported]has beencommittedto the tree:

Version 0.112of Game of Treeshas been released (and the portupdated):

Omar Polo (op@) hasannouncedthe release of version 7.7.0p0 ofOpenSMTPD:

Our favorite operating system is in the process of aquiring Encapsulated Remote Switch Port Analyzer (ERSPAN) support, in the form of a new virtual network interface, dubbed erspan(4).An early version of the code, but possibly close to being ready for further development in-tree waspresentedby David Gwynne (dlg@) in amessage to tech@:

Over on tech@, Ted Unangst (tedu@) isairinga patch to introduce better support ACPI WMI,looking for tests and comments:

Alexander Bluhm (bluhm@) hascommittedchanges which eliminate contentionby caching the socket lock in TCP input:

Following its recent introduction on tech@[See earlier article],David Gwynne (dlg@)hascommittedbpflogd(8)to the tree:

Following its recent introduction on tech@[See earlier article],David Gwynne (dlg@)hascommittedlldpd(8)to the tree:

Damien Miller (djm@) hascompletedthe planned[See previousarticles]removal of DSA signature support from OpenSSH:

In a message to tech@ with the subject"die DSA die", Damien Miller (djm@) presents a diff that will remove the last bits of DSA support from OpenSSH:

A longdiscussionon tech@(initiated by asuggestion/patch from Jesper Wallin)has culminated in Damien Miller (djm@)committingchanges which increase security by taking advantage of the use ofunveil(2)elsewhere in the OpenBSD ecosystem:

Klemens Nanni (kn@) hascommittedthe his proposed change[Seeprevious article]such that theOpenBSD installer now prefers disks over 1GBwhen prompting for the root disk.The commit message explains the change:

You can tell it's right after a release is cut when new ideas are fielded in patches to tech@.One such small but potentially important change that is being aired now is achangeto the installer to suggest the larger one when several disks are available. Klemens Nanni (kn@) describes the motivation for the change as

In apostto tech@,Martin Pieuchot (mpi@)has requested testing of a diff (against -current) to enablerunning the upper part of the fault handler in parallel:

LibreSSLversion4.1.0has been released.This is the version found in (the recently released)OpenBSD 7.7The release notes read,

Klemens Nanni (kn@)committed a changeremoving misleading messages on package update:

As we saw recently in theGraphed and measured: running TCP input in parallelstory, Alexander Bluhm (bluhm@) has been working on parallel TCP input, finally making tcp_input() MP-safe.This work has now beencommitted,

The OpenBSD project hasannouncedOpenBSD 7.7,its 58 release.The new releasecontains a number of significant improvements, including but certainlynot limited to:

Our favorite operating system may be on the verge of having a LLDP(Link Layer Discovery Protocol)daemon added to the base system. David Gwynne (dlg@) is circulating a patch on tech@ that introduces the daemon,

In a recentpostto tech@, David Gwynne (dlg@) introduced a new daemon to log packets from BPF.Themessagereads

Version 0.111of Game of Treeshas been released (and the portupdated,with additional useful information in the commit message):

Over on tech@, Alexander Bluhm (bluhm@) is airing a patch to improve parallel TCP input, and is looking for testers:

TheOpenBSD projecthasannouncedthe release ofversion 9.5of rpki-client:

Theo de Raadt (deraadt@) updated the versionofOpenBSD-current to "7.7-current".Those running the latest-and-greatest[via a sufficiently new snapshot or built from source]no longer need to use"-D snap" withpkg_add(1)(andpkg_info(1)).

TheOpenBSD projecthasannouncedthe release ofOpenIKED7.4:

The OpenSSH project has announced their latest release, OpenSSH 10.0.The announcement and release notes read: