OpenBSD Journal

Full BSDCan 2025 video playlist(s) available

5 days 13 hours ago

The BSDCan 2025 video playlist is now complete and available on both Peertube and Youtube.

The OpenBSD focused talks are as follows:

  • A distributed filesystem for OpenBSD by Rob Keizer
  • The state of 3d-printing from OpenBSD by Andrew Hewus Fresh
  • Confidential Computing with OpenBSD The Next Step by Hans Jörg Höxer
  • Adventures in porting a Wayland Compositor to NetBSD and OpenBSD by Jeff Frasca

OpenBSD enters 7.8-beta

6 days 21 hours ago

With this commit, the development slows into release-mode preparing for the 7.8 release of OpenBSD.

The commit message reads,

    List:        openbsd-cvs
    Subject:     CVS: cvs.openbsd.org: src
    From:        Theo de Raadt <deraadt () cvs ! openbsd ! org>
    Date:        2025-09-10 15:58:20

    CVSROOT:     /cvs
    Module name: src
    Changes by:  deraadt@cvs.openbsd.org 2025/09/10 10:00:04

    Modified files:
        etc/root       : root.mail
        sys/sys        : param.h
        share/mk       : sys.mk
        sys/arch/macppc/stand/tbxidata: bsd.tbxi
        usr.bin/signify: signify.1
        sys/conf       : newvers.sh

    Log message:
    crank to 7.8-beta

7.8-beta snapshots are already starting to appear on OpenBSD mirrors.

Time to bring out your odd machines and give snapshots a go, if we want 7.8 to be the best release yet.

Game of Trees 0.118 released

1 week ago

Version 0.118 of Game of Trees has been released (and the port updated):

  • security fix for -portable: gotwebd can be tricked into reading repositories outside its repos_path; bug introduced in got-0.111; OpenBSD is not affected
  • make 'tog diff' show the repository name in names of patches written to /tmp
  • plug memory leaks which were making gotwebd regress tests fail
  • fix parallel processing of requests in gotwebd, improving responsiveness
  • set gotwebd pledges according to address families of listening sockets
  • run gotwebd fcgi parameter parsing in a dedicated process under pledge "stdio"
  • make gotd commit notifications only show history which is unique to the branch
  • enable sftp/scp support in the sshd_config file generated by gotsysd
  • make gotsysd-managed repositories readable for the _gotd group

C++ library update in -current

3 weeks 5 days ago

Rafael Sadowski (rsadowski@) completed updates to C++ libraries in -current:

    CVSROOT:     /cvs
    Module name: src
    Changes by:  rsadowski@cvs.openbsd.org 2025/08/21 09:26:58

    Modified files:
        gnu/lib/libcxx : Makefile
        gnu/lib/libcxx/include/c++/v1: __config_site
        gnu/lib/libcxxabi: Makefile
        gnu/lib/libexecinfo: Makefile
    Added files:
        gnu/lib/libcxx/include/c++/v1: __assertion_handler

    Log message:
    update build infrastructure for libunwind-, libcxxabi- and libcxx-19.1.7

    This gives us a modern c++ lib in base!

Read more…

Yubikey OTP support disabled in -current

3 weeks 5 days ago

Yubikey OTP support has been disabled in -current. The commit message explains the rationale:

    CVSROOT:     /cvs
    Module name: src
    Changes by:  deraadt@cvs.openbsd.org 2025/08/14 08:39:44

    Modified files:
        sys/dev/usb    : ukbd.c

    Log message:
    Most Yubikey ship with OTP support enabled out of the box (and generate
    accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk).
    Yubikey re-configuration requires crazy buggy and fragile tools using
    crazy usb feature support, and therefore OTP disabling is very annoying.
    We make a policy decision to not attach these as keyboards anymore,
    because a majority of users just want the FIDO functionality. If you
    want to use OTP, buy a different device from a different vendor or
    convince Yubikey to significantly improve their tooling.
    idea from kettenis

To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:

  • USB security devices from other vendors are not affected.
  • FIDO functionality of Yubikeys (and Yubico security keys) is not affected.
  • login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).

Running a patched kernel is the only way [at present] to reverse this change.

OpenSSH will now adapt IP QoS to actual sessions and traffic

4 weeks 2 days ago
OpenSSH will now adapt IP QoS to actual sessions and traffic. In a fresh commit, Damien Miller (djm@) introduced a significant change, which enables ssh and sshd to set the IP QoS based on what connections and sessions are active.

The commit message says,

    List:        openbsd-cvs
    Subject:     CVS: cvs.openbsd.org: src
    From:        Damien Miller <djm () cvs ! openbsd ! org>
    Date:        2025-08-18 3:43:01

    CVSROOT:     /cvs
    Module name: src
    Changes by:  djm@cvs.openbsd.org 2025/08/17 21:43:01

    Modified files:
        usr.bin/ssh    : sshd-session.c sshd-auth.c ssh.c session.c
                         serverloop.c packet.h packet.c mux.c misc.c
                         clientloop.c channels.h channels.c

    Log message:
    Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
    continually at runtime based on what sessions/channels are open.

Read more…

Game of Trees 0.117 released

4 weeks 2 days ago

Version 0.117 of Game of Trees has been released (and the port updated):

  • regress: replace "sed -i" with ed(1) for portable in-place editing
  • ensure that error messages from gotsysd libexec helpers get logged
  • fix gotsysd using wrong auth and hmac labels in the generated gotd.conf
  • preserve bad symlinks across merges during rebase and histedit
  • improve binary files detection: detect any control characters, not just NUL
  • gotwebd: fix race condition resulting in truncated html with trailing garbage
  • make commit coloring faster and more accurate, producing smaller pack files
  • improve selection of pack files for pinning in the open pack file cache
  • regress: don't load global/home git configuration files while running tests
  • make 'got clone' set a got.conf default branch for fetching only, not sending

is OpenBSD 10x faster than Linux? (tedu@)

1 month ago

In a recent entry on his blog, OpenBSD developer Ted Unangst (tedu@) asks, "is OpenBSD 10x faster than Linux?" He explains,

"Here’s a little benchmark compliments of Jann Horn. It’s unexpectedly slow on Linux. OpenBSD is so fast, I had to modify the program slightly to measure itself, as the time utility is missing sufficient precision to even record nonzero."

Go on, read the rest over at Ted's blog for some fun tidbits on performance and benchmarks.

Eighteen Years of Greytrapping Retrospective Published

1 month ago

OpenBSD users and aficionados are more likely than others to be familiar with the concept of greytrapping (the nastier kid sister of greylisting), as implemented via the OpenBSD spamd(8) spammer taunting software.

The feature has now been around for 18 years, and undeadly.org co-editor Peter Hansteen found that and another milestone to be a good reason to write a retrospective:

Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.

So I wrote up one: Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? (also available with G's trackers here) is a retrospective article with data and graphs.

That's right, we've been making life harder for spammers for 18 years. Peter's writeup has links to data, and more field notes and war stories than he could actually remember writing when he started on the retrospective.

Post-Quantum Cryptography Advice Added to OpenSSH Website

1 month ago

We have long been aware that OpenBSD and OpenSSH in general are at the very forefront of cryptography engineering.

A recent data point here is that Damien Miller (djm@) just committed a new OpenSSH Post-Quantum Cryptography FAQ page to the OpenSSH web site:

    List:        openbsd-cvs
    Subject:     CVS: cvs.openbsd.org: www
    From:        Damien Miller <djm () cvs ! openbsd ! org>
    Date:        2025-08-11 5:26:51

    CVSROOT:     /cvs
    Module name: www
    Changes by:  djm@cvs.openbsd.org 2025/08/10 23:26:51

    Added files:
        openssh        : pq.html

Read more…

Call for testing: USB webcams

1 month 1 week ago

A new opportunity for you to help improve the upcoming OpenBSD 7.8 release has turned up. If YOU have a USB webcam you are using or would like to use with our favorite operating system, Kirill Korinsky (kirill@) would like to hear from you after testing recent snapshots.

Kirill's message to misc@ reads:

    Subject:     Call for testing: USB webcams
    From:        Kirill A. Korinsky <kirill () korins ! ky>
    Date:        2025-08-06 13:27:31

    misc@,

    the latest snapshots for amd64 and arm64 (I haven't checked other
    architectures) include my recent changes to add support for H.264
    streams from USB webcams.

Read more…

Recent new features in OpenSSH

1 month 2 weeks ago

Development of important software sometimes happens without fanfare. If not for one of our editors noticing by watching commits, we would have missed the fact that Damien Miller (djm@) recently added a couple of notable features to OpenSSH:

Read more…

Call for testing: Improved 802.11g AP compatibility check

1 month 2 weeks ago

The WiFi 802.11 standards are a gnarly lot, and checking for compatibility of the various sub-specifications has been known to drive even seasoned OpenBSD developers to the brink of distraction.

Now Stefan Sperling (stsp@) is airing a possible improvement in compatibility checks via a message to tech@ titled "fix net80211 802.11g compatibility check", saying

    List:        openbsd-tech
    Subject:     fix net80211 802.11g compatibility check
    From:        Stefan Sperling <stsp () stsp ! name>
    Date:        2025-07-31 10:26:18

    I have a WIP fix for qwx which relies on ieee80211_iserp_sta() to
    detect whether an AP supports 802.11g, rather than 802.11b only.
    And I encountered an access point which qwx could not connect to
    when my WIP fix is applied.

Read more…

Classic CDE (Common Desktop Environment) coming to OpenBSD

1 month 2 weeks ago

Much longed for by some, remembered as a quaint memory by other greybeards, the classic Common Desktop Environment (CDE) is being added to the ports collection.

The initial commit message reads,

    List:        openbsd-ports-cvs
    Subject:     CVS: cvs.openbsd.org: ports
    From:        Antoine Jacoutot <ajacoutot () cvs ! openbsd ! org>
    Date:        2025-07-28 12:35:38

    CVSROOT:     /cvs
    Module name: ports
    Changes by:  ajacoutot@cvs.openbsd.org 2025/07/28 06:35:38

    Log message:
    Import cde-2.5.2

    CDE - The Common Desktop Environment is X Windows desktop environment
    that was commonly used on commercial UNIX variants such as Sun Solaris,
    HP-UX and IBM AIX. Developed between 1993 and 1999, it has now been
    released under an Open Source licence by The Open Group.

Read more…

Game of Trees 0.116 released

1 month 3 weeks ago

Version 0.116 of Game of Trees has been released (and the port updated):

  • make our pack-refs header format align with the expectations of git 2.50.0
  • fix bogus "bad offset in pack file" errors wrongly raised by gotd
  • fix gotd branch protection rejecting commits that already exist on server
  • pick a default branch to clone when the server does not advertise HEAD symref
  • do not clobber changes staged via stage -p during "got revert"
  • enforce additional restrictions on reference names specified in gotsys.conf
  • change gotwebd favicons to show the smiley fish only
  • fix gotd reload when /etc/gotd-secrets.conf is used
  • fix bogus "raw object has unexpected size" errors during deltification
  • fix bug in delta block stretch size calculation resulting in invalid deltas
  • fix gotsysd behaviour when the anonymous user is removed from gotsys.conf
  • add support for email and http/json notifications to gotsysd and gotsys.conf

When Root Meets Immutable: OpenBSD chflags vs. Log Tampering

1 month 4 weeks ago

In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

" ... anyone who’s ever had to investigate a security incident knows the harsh reality: logs are only as trustworthy as their protection against post-incident tampering. An attacker who gains root access isn’t going to politely leave their tracks in the log files – unless they physically can’t alter them anymore."

Read the whole thing, When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, over at Rafael's site!

stdio(3) change: FILE is now opaque

2 months ago

In -current, the struct underlying stdio(3)'s FILE type has been made opaque, with library version bumps across the board:

    CVSROOT:     /cvs
    Module name: src
    Changes by:  yasuoka@cvs.openbsd.org 2025/07/16 09:33:05

    Modified files:
        lib/libc       : Symbols.list shlib_version
        lib/libc/hidden: stdio.h wchar.h
        lib/libc/stdio : Makefile.inc fclose.3 fclose.c findfp.c
        lib/libcrypto  : shlib_version
        lib/libcurses  : shlib_version
        lib/libedit    : shlib_version
        lib/libexpat   : shlib_version
        lib/libfido2   : shlib_version
        lib/libfuse    : shlib_version

Read more…
