OpenBSD Journal

There has long been some concern in the networking communities, particularly the routing security part, about the use of very long lived Trust Anchor (TA) certificates in routing infrastructure. Today Job Snijders (job@) commited code torpki-client(8)to implement a gradual phase in of a stricter policy on TA certificates lifetimes.The commit message reads,

Thanks toworkby David Gwynne (dlg@),OpenBSD -current now has a new"AF_FRAME"socket domain:

Claudio Jeker (claudio@)announcedthe release of version 8.7 ofOpenBGPD,the OpenBSD project'sBorder Gateway Protocol (BGP) daemon:

The initial list of 21 'low hanging fruit' videos from EuroBSDcon 2024 has been released with more to follow:

(As noted in histoot,)Rafael Sadowski (radowski@)has written a blog entry entitleddpb - distributed ports builder,which describes hisdpb(1)setup.

(As noted in histoot,)Rafael Sadowski (radowski@)has written a blog entry entitleddpb - distributed ports builder,which describes hisdpb(1)setup.

Jeremie Courreges-Anglas (jca@)committed a changewhich is likely to be welcomed by laptop users:

Soon, unwind will have support wildcard in blacklist.Here, a change that makes any domain in the blacklist that starts with '.', which is not a legal name due to an empty label, is treated as any subdomain on that zone.This means that .example.com blocks all requests to any subdomain of example.com, but allows example.com.Changes: https://marc.info/?l=openbsd-cvs&m=173244784522937&w=2

Version 0.106of Game of Treeshas been released (and the portupdated).

Version 0.105of Game of Treeshas been released (and the portupdated).Read more...

Version 0.104of Game of Treeshas been released (and the portupdated).

The LibreSSL project, a closely associated subproject of the OpenBSD project, has announced the availability of their new stable release, LibreSSL 4.0.0, which comes with a number of improvements and a sprinkling of fixes. The release announcement reads,

The work of improving ssh security by segregating functionality into separate binaries contiues, this time by introducing sshd-auth as a separate binary.The commit message summarizes why this makes sense,

Omar Polo (op@) hasannouncedthe release of version 7.6.0p0 ofOpenSMTPD.The changes (including the table protocol change on which wereported earlier)are:

Omar Polo (op@) hasannouncedthe release of version 7.6.0p0 ofOpenSMTPD.The changes (including the table protocol change on which wereported earlier)are:

The OpenBSD project hasannouncedOpenBSD 7.6,its 57 release.The new release contains a number of significant improvements, including but not limited to:

There has been a significantchangeto the behaviour ofsysupgrade(8):

Theo de Raadt (deraadt@) updatedtheversion ofOpenBSD-current to "7.6-current".Those running the latest-and-greatest[via a sufficiently new snapshot or built from source]no longer need to use"-D snap" withpkg_add(1)(andpkg_info(1)).

Our favorite operating system is now changing the default shell (ksh) to enforce not allowing invalid NUL characters in input that will be parsed as parts of the script.The commit message reads,

EuroBSDCon 2024[in Dublin, Ireland] has now ended,and slides for many of the OpenBSD developer presentationsare now available in theusual place.Video of the individual presentations can be expected somewhat later.In the meantime, OpenBSD-related presentations [including those fromnon-developers] can be found in therecordingsof the "Foyer B" streams.In addition, there was a full day PF tutorial with some updates to the publicly available slides.

Sebastian Benoit (benno@)announcedthe release ofversion 9.3ofrpki-client, the essential component for routing security.See the fullannouncement for further details.Key excerpts from the release announcement:Read more...

In a fediverse post,Damien Miller (djm@) announced the availability of the newOpenSSH version 9.9:

Claudio Jeker (claudio@)announcedthe release of version 8.6 ofOpenBGPD,the OpenBSD project'sBorder Gateway Protocol (BGP) daemon:

TheOpenBSD7.6 release cycle is entering its final phases...With the followingcommit,Theo de Raadt (deraadt@) moved -current to version 7.6:

Version 0.103of Game of Treeshas been released (and the portupdated).

Sebastian Benoit (benno@)announcedthe release ofversion 9.2ofrpki-client, the essential component for routing security.See the fullannouncement for further details.Here are some key excerpts from the release announcement:

All files from the original import ofOpenBSDhave now been modified (or deleted).Appropriately, Theo de Raadt (deraadt@)made thechange:

Version 0.102 of Game of Trees has been released and the port updated.

As an update to a earlier post...The BSDCan 2024 video playlist is now complete and available on bothYouTubeand Peertube.

As an update to a earlier post...The BSDCan 2024 video playlist is now complete and available on bothYouTubeand Peertube.

As an update to a earlier post...The BSDCan 2024 video playlist is now complete and available on bothYouTubeand Peertube.

OpenBSD -current has moved to 7.6-beta in preparation for the next release with this commit.The release is traditionally about November 1st, but we shall see what happens this year. Snapshots are already beginning to show up on the mirrors.

In an exciting move,Mike Larkin (mlarkin@)hasrequestedhardware forvmm(4)development on the arm64 platform:

Support for UDP parallel input[on which we reported previously]has beencommittedto -current by Alexander Bluhm (bluhm@):

UDP input is about to become faster and parallel on OpenBSD. In a message to tech@ titled UDP parallel input, Alexander Bluhm (bluhm@) offers a diff that enables parallel UDP input for -current.The message reads,

In this commit, Rafael Sadowski (rsadowski@) merged libva 2.22.0 into OpenBSD, enabling VA-API to accelerate video decoding and other hardware assisted operations:Read more...

In a recent post to tech@ titled let's make pf(4) anchors and tables better friends (possibly originating at the ongoing hackathon) Alexandr Nedvedicky (sashan@) introduced code to enable creating local tables inside anchors in pf(4) rulesets:

Version 0.101of Game of Treeshas been released (and the portupdated).

Crystal Kolipe writes in about a new article posted by the crew at Exotic Silicon on fun things to do with OpenBSD --

While we were busy with other things, Theo de Raadt (deraadt@) is continuing the work on bringing the clang option to clean return addresses off the stack, as reported upon earlier, to OpenBSD/arm64.Theo posted an early version of the code to tech@, saying

In a fediverse post, Damien Miller (djm@) announced the availability of the new OpenSSH version 9.8:

Friends, dhclient(8) in OpenBSD is no more, at least for those of us running -current.For some of us it is basically in muscle memory to type doas dhclient $wifiinterface when visiting somewhere, but from this day forward we will rely on dhcpleased(8) to do its job, which in my own experience does admirably.In this commit, Theo de Raadt (deraadt@), executed the removal.The commit message reads,

Patrick McEvoy aka BSDTV writes in,

The OpenBGPD project announced that a new version the Border Gateway Protocol dameon, OpenBGPD 8.5 has been released. The release comes with a number of new features and refinements, and marks another step in the development of secure and reliable routing management.The announcement reads:

Sebastian Benoit (benno@)announcedthe release ofversion 9.1ofrpki-client, the essential component for routing security.See the fullannouncement for further details.Here are some key excerpts from the release announcement:Read more...

In a fediverse post, Stefan Sperling (stsp@) announced a new hosting service:

When a new processor is released, how long would you expect it to take before your favorite operating system adds support for it?In the case of OpenBSD/arm64, the time lag can occasionally be measured in days if not hours.In a recent message to tech@, Patrick Wildt (patrick@) premiered the patch to add support for the Qualcomm Snapdragon Elite X processor the day after it was officially released.Patrick's message reads,

In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configurations options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built in facility in sshd(8) itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively. The commit message reads,

In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configurations options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built in facility in sshd(8) itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively. The commit message reads,

As noted earlier, OpenBSD-current now has IPv6 prefix delegation available via the new dhcp6leased(8) deamon.Now before he committed the code, Florian Obser (florian@) wrote a blog post on the process of developing the new program in a piece called DHCPv6-PD - First steps.The prologue leads in,