OpenBSD Journal

Rafael Sadowski (rsadowski@)completed updatesto C++ libraries in -current:

YubikeyOTPsupport has been disabled in -current.Thecommit messageexplains the rationale:

OpenSSHwill now adapt IP QoS to actual sessions and traffic.In a freshcommit,Damien Miller (djm@) introduced a significant change,which enables sshand sshdto set the IP QoS based on what connectionsand sessions are active.The commit message says,

Version 0.117of Game of Treeshas been released (and the portupdated):

In a recententryon his blog,OpenBSDdeveloper Ted Unangst (tedu@) asks,is OpenBSD 10x faster than Linux?.He explains,

OpenBSD users and aficionados are more likely than others to be familiar with the concept ofgreytrapping(the nastier kid sister ofgreylisting),as implemented via the OpenBSDspamd(8)spammer taunting software.The feature has now been around for 18 years, andundeadly.org co-editor Peter Hansteenfound that and another milestone to be a good reason to write a retrospective:

We have long been aware that OpenBSDand OpenSSHin general are at the very forefront of cryptography engineering.A recent data point here is that Damien Miller (djm@) justcommitteda newOpenSSH Post-Quantum CryptographyFAQ page to theOpenSSH web site:

A new opportunity for you to help improve the upcomingOpenBSD 7.8 release has turned up.If YOU have a USB webcam you are using or would like to use with our favorite operating system, Kirill Korinsky (kirill@) would like to hear from you after testing recent snapshots.Kirill'smessageto misc@ reads:

Development of important software sometimes happens without fanfare. If not for one of our editors noticing by watching commits, we would have missed the fact that Damien Miller (djm@)recently added a couple of notable features to OpenSSH:Read more...

The WiFI802.11standards are a gnarly lot, and checking for compatibility of the various sub-specifications has been known to drive even seasonedOpenBSD developers to the brink of distraction.Now Stefan Sperling (stsp@) is airing a possible improvement in compatibility checks via a message to tech@ titled "fix net80211 802.11g compatibility check", saying

Much longed for by some, remembered as a quaint memory by other greybeards,the classicCommon Desktop Environment(CDE) is being added to the ports collection. The initial commit message reads,

Version 0.116of Game of Treeshas been released (and the portupdated):

In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

In -current,the struct underlyingstdio(3)'sFILE typehas beenmade opaque, with library versions bumps across the board:

Inaseriesofcommits,Anthony J Bentley (bentley@)modified the system so that font caching runs asdedicated (unprivileged) user, "_fc-cache".fc-cache(1)has been usingpledge(2)since May.

Job Snijders (job@)has added (to -current) a new utility,watch(1),for periodically executing a command and displaying its output.TheIIJ'siwatchwas initiallyimportedback in May, and has beenreworked substantiallybefore beinglinked to the build.

Yes, you read that right:KDE 6.4.0 Plasmais now in OpenBSD packages.This was made possible by the efforts of Rafael Sadowski (rsadowski@) with the help of several others.The news was announced 2025-07-04 via afediverse postand of course thecommit messageitself, where the description reads

News from the Exotic Silicon front:Crystal Kolipe posted anupdateto misc@, saying

In afediverse poston 2025-07-04,the Game of Trees Hubannounced that they will be taking signups for repository hosting:

Version 0.115of Game of Treeshas been released (and the portupdated):

Version 0.114of Game of Treeshas been released (and the portupdated):

In a fediverse post,Stefan Sperling (stsp@) asks for testing of a potential fixfor a problem affecting a number of network interface drivers(namely bge,bnx,iavf,igc,ix,ixl,ngbe andpcn),pointing to amessageon tech@ with the subjectbge/bnx/iavf/igc/ix/ixl/ngbe/pcn: ifq_restart() fix that reads

Fresh from the recently concludedj2k25 hackathon comes this report from Klemens Nanni (kn@), who writes:

In some cases, the currentdhcpd(8)is not quite as reliable as one would want in providing the requesteddata to the actual requestor.After some rounds of discussion and experimentation,David Gwynne (dlg@) is circulating adiffon tech@ that switches the daemon to useUDPsockets instead ofbpf.The motivation is summarized as,

In a long series ofcommits,Robert Nagy (robert@)updatedclang(1)/llvm/lld(1)in -current to version 19.1.7 (from version 16.0.6):

Kristaps Dzonsons(known formandoc(1),rpki-client(8),and much more)has written an article,Source code sandboxing,on sandboxingfrom the perspective of developers.It compares the facilities available under severaloperating systems, and requests relevantcontributions.As Undeadly readers might expect, OpenBSD'spledge(2)andunveil(2)receive favourable appraisal.Kristaps' article refers toSandboxing Adoption in Open Source Ecosystems,an academic article published on the subject.[In 2016, Undeadly publishedKristaps Dzonsons on pledge(2).]

Following adiscussion on tech@[initiated by a post with patch from Ted Unangst (tedu@)],the"TearFree" option has beenbackportedto the xenocaramodesetting(4)driver in -current:

Rafael Sadowski (rsadowski@),OpenBSD developer and prolific blogger,has been looking into file system performance optimizations on our favoriteoperating system, and is now sharing his tips and tricks inFFS optimizations with dirhash on his blog. He leads in with a TL;DR:

Version 0.113of Game of Treeshas been released (and the portupdated):

In a multi-part article, kraileth reviews the installers of various BSD operating systems.Part 2covers OpenBSD:

Fresh from the just concludedj2k25 hackathonin Nara, Japan, Rafael Sadowski (rsadowski@) has published his report on his blog:

Reining in file system access is hard to get right, even forOpenBSD developers. In a message to tech@ titledopenat(2) is mostly useless, sadlyTheo de Raadt (deraadt@) describes how theopenat(2)family of system calls has failed to live up to expectations in practice,and he proposes changes that may improve the situation.Theo writes,

Recently, Crystal Kolipe found that attachingsoftraidvolumes as read-only devices did not work.Then what to do?Fix the code and make it work, of course!The full story is available asStay, (write), protected!",taking us through the steps of adding a feature toOpenBSD. Enjoy!

A new profiling subsystem is now in OpenBSD-current, from the hands of none other than Theo de Raadt (deraadt@) himself.A longish sequence of commitsintroducedthechangesincrementally,with asummary as follows:

Are you an OpenBSD user with a low power device such as aPC EnginesAPU2,with one or moreem(4)network interfaces?Darren Tucker (dtucker@) has a new diff out that may be of use to you,posted in amessageto tech@:

Kirill A. Korinsky (kirill@)writes in with hisguideto setting up anEdgeRouter 4withOpenBSD/octeonto provide a failover gateway/router setup:

erspan(4),the ERSPAN collection driver created byDavid Gwynne (dlg@)[and about which we recentlyreported]has beencommittedto the tree:

Version 0.112of Game of Treeshas been released (and the portupdated):

Omar Polo (op@) hasannouncedthe release of version 7.7.0p0 ofOpenSMTPD:

Our favorite operating system is in the process of aquiring Encapsulated Remote Switch Port Analyzer (ERSPAN) support, in the form of a new virtual network interface, dubbed erspan(4).An early version of the code, but possibly close to being ready for further development in-tree waspresentedby David Gwynne (dlg@) in amessage to tech@:

Over on tech@, Ted Unangst (tedu@) isairinga patch to introduce better support ACPI WMI,looking for tests and comments:

Alexander Bluhm (bluhm@) hascommittedchanges which eliminate contentionby caching the socket lock in TCP input:

Following its recent introduction on tech@[See earlier article],David Gwynne (dlg@)hascommittedbpflogd(8)to the tree:

Following its recent introduction on tech@[See earlier article],David Gwynne (dlg@)hascommittedlldpd(8)to the tree:

Damien Miller (djm@) hascompletedthe planned[See previousarticles]removal of DSA signature support from OpenSSH:

In a message to tech@ with the subject"die DSA die", Damien Miller (djm@) presents a diff that will remove the last bits of DSA support from OpenSSH:

A longdiscussionon tech@(initiated by asuggestion/patch from Jesper Wallin)has culminated in Damien Miller (djm@)committingchanges which increase security by taking advantage of the use ofunveil(2)elsewhere in the OpenBSD ecosystem:

Klemens Nanni (kn@) hascommittedthe his proposed change[Seeprevious article]such that theOpenBSD installer now prefers disks over 1GBwhen prompting for the root disk.The commit message explains the change:

You can tell it's right after a release is cut when new ideas are fielded in patches to tech@.One such small but potentially important change that is being aired now is achangeto the installer to suggest the larger one when several disks are available. Klemens Nanni (kn@) describes the motivation for the change as

In apostto tech@,Martin Pieuchot (mpi@)has requested testing of a diff (against -current) to enablerunning the upper part of the fault handler in parallel: